Remediation
From Console
- Log in to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/.
- In the left navigation panel, click Databases.
- Select the database instance that needs to be encrypted.
- Click the Actions button at the top right and select Take Snapshot.
- On the Take Snapshot page, enter a name for the snapshot in the Snapshot Name field and click Take Snapshot.
- Select the newly created snapshot, click the Actions button at the top right, and select Copy snapshot from the menu.
- On the Make Copy of DB Snapshot page, perform the following:
  - In the New DB Snapshot Identifier field, enter a name for the new snapshot.
  - Check Copy Tags. The new snapshot must have the same tags as the source snapshot.
  - Select Yes from the Enable Encryption dropdown list to enable encryption. You can choose the AWS default encryption key or a custom key from the Master Key dropdown list.
- Click Copy Snapshot to create an encrypted copy of the selected instance snapshot.
- Select the new encrypted snapshot copy, click the Actions button at the top right, and select Restore Snapshot. This restores the encrypted snapshot to a new database instance.
- On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field.
- Review the instance configuration details and click Restore DB Instance.
- After the new instance is provisioned, update the application configuration to use the endpoint of the new encrypted database instance. Once the database endpoint is changed at the application level, remove the unencrypted instance.
From Command Line
- Run the describe-db-instances command to list all RDS database names available in the selected AWS region. The output returns the database instance identifiers.
      aws rds describe-db-instances --region {{region-name}} --query 'DBInstances[*].DBInstanceIdentifier'
- Run the create-db-snapshot command to create a snapshot for the selected database instance. The output returns the new snapshot name.
      aws rds create-db-snapshot \
          --region {{region-name}} \
          --db-snapshot-identifier {{DB-Snapshot-Name}} \
          --db-instance-identifier {{DB-Name}}
- Run the list-aliases command to list the KMS key aliases available in the specified region. The output returns each key alias. For this process, locate the ID of the AWS default KMS key.
      aws kms list-aliases --region {{region-name}}
- Run the copy-db-snapshot command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot. The output returns the encrypted instance snapshot configuration.
      aws rds copy-db-snapshot \
          --region {{region-name}} \
          --source-db-snapshot-identifier {{DB-Snapshot-Name}} \
          --target-db-snapshot-identifier {{DB-Snapshot-Name-Encrypted}} \
          --copy-tags \
          --kms-key-id {{KMS-ID-For-RDS}}
- Run the restore-db-instance-from-db-snapshot command to restore the encrypted snapshot created in the previous step to a new database instance. If successful, the output returns the new encrypted database instance configuration.
      aws rds restore-db-instance-from-db-snapshot \
          --region {{region-name}} \
          --db-instance-identifier {{DB-Name-Encrypted}} \
          --db-snapshot-identifier {{DB-Snapshot-Name-Encrypted}}
- Run the describe-db-instances command to list all RDS database names available in the selected AWS region. The output returns the database instance identifier names. Select the encrypted database name that you just created, DB-Name-Encrypted.
      aws rds describe-db-instances --region {{region-name}} --query 'DBInstances[*].DBInstanceIdentifier'
- Run the describe-db-instances command again using the RDS instance identifier returned earlier to determine whether the selected database instance is encrypted. The output should return the encryption status True.
      aws rds describe-db-instances \
          --region {{region-name}} \
          --db-instance-identifier {{DB-Name-Encrypted}} \
          --query 'DBInstances[*].StorageEncrypted'
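The command-line procedure above, scripted end to end as an added example that is not part of the original page: it waits for each snapshot and the restored instance to become available, looks up the AWS-managed RDS key through its alias when no key ID is supplied, and refuses to report success unless StorageEncrypted comes back True. The identifier suffixes, the alias lookup, and the assumption that the AWS CLI is installed with working credentials are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): scripted version of the CLI remediation.
# Assumes the AWS CLI is installed and credentials for the target account are configured.
set -eu

# is_encrypted STATUS: returns 0 when STATUS is the text-output value "True"
# of DBInstances[0].StorageEncrypted, 1 otherwise.
is_encrypted() {
  case "$1" in
    True|true) return 0 ;;
    *) return 1 ;;
  esac
}

# rds_default_key REGION: prints the key ID behind the AWS-managed RDS alias.
rds_default_key() {
  aws kms list-aliases --region "$1" \
    --query "Aliases[?AliasName=='alias/aws/rds'].TargetKeyId" --output text
}

# encrypt_rds_instance REGION DB_NAME [KMS_KEY_ID]
# snapshot -> wait -> encrypted copy -> wait -> restore -> wait -> verify.
# Prints the identifier of the new encrypted instance on success.
encrypt_rds_instance() {
  region="$1"; db="$2"; kms_key="${3:-$(rds_default_key "$1")}"
  snap="${db}-snap-$(date +%Y%m%d%H%M%S)"   # constructed identifiers
  snap_enc="${snap}-encrypted"
  db_enc="${db}-encrypted"

  aws rds create-db-snapshot --region "$region" \
    --db-instance-identifier "$db" --db-snapshot-identifier "$snap" >/dev/null
  aws rds wait db-snapshot-available --region "$region" --db-snapshot-identifier "$snap"

  aws rds copy-db-snapshot --region "$region" \
    --source-db-snapshot-identifier "$snap" \
    --target-db-snapshot-identifier "$snap_enc" \
    --copy-tags --kms-key-id "$kms_key" >/dev/null
  aws rds wait db-snapshot-available --region "$region" --db-snapshot-identifier "$snap_enc"

  aws rds restore-db-instance-from-db-snapshot --region "$region" \
    --db-instance-identifier "$db_enc" --db-snapshot-identifier "$snap_enc" >/dev/null
  aws rds wait db-instance-available --region "$region" --db-instance-identifier "$db_enc"

  # Verify before anyone repoints the application at the new endpoint.
  status=$(aws rds describe-db-instances --region "$region" \
    --db-instance-identifier "$db_enc" \
    --query 'DBInstances[0].StorageEncrypted' --output text)
  is_encrypted "$status" || { echo "ERROR: $db_enc is not encrypted" >&2; return 1; }
  echo "$db_enc"
}

# Usage: encrypt_rds_instance us-east-1 my-db
```

The script leaves the unencrypted instance and its source snapshot in place; remove them only after the application has been repointed to the new endpoint, as the console steps describe.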